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DETAILED ACTION 

1 . This is in response to the amendment filed on 3 1 October 2006. 

2. Claims 1-23 are pending in the application. 

3. Claims 1-23 have been rejected. 

Continued Examination Under 3 7 CFR 1,114 

4. A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 
CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible 
for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been 
timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 
1.114. Applicant's submission filed on 3 1 October 2006 has been entered. 

Response to Arguments 

5. Applicant's arguments with respect to claims 1-23 have been considered but are moot in view 
of the new ground(s) of rejection. 
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Claim Rejections - 35 USC § 102 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(bX by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 

6. Claims 1, 2, 5, 6, 9, 10, 12, 13, 16-19 and 21-23 are rejected under 35 U.S.C. 102(e) as 
being anticipated by Stone et al U.S. Patent No. 7,062,782 Bl. 

As to claim 1, Stone et al discloses a method for tracing a denial-of-service attack on a 
victim machine back towards its source, comprising steps of: 

operating a traceback program on at least one path to receive two input 
parameters, (a) an IP address (v) of the victim machine and (b) an IP address (r) 
of a router that is immediately upstream of the victim machine [column 4 line 49 
to column 5 line 5]; 

determining a set of routers that are neighbors (n) of r [column 5, lines 6- 

19]; 

for each neighbor n of r, determining if r is n's next-hop for traffic 
addressed to v, or to a network that v is on, where node n's next-hop for traffic 
addressed to v is the IP address of the node that n will forward a packet to if the 
destination address in the packet is v [column 6, lines 48-66]. 

if r is not n's next-hop for traffic addressed to v, skip over n and query the 
next neighbor of r, while if r is n's next-hop for traffic addressed to v, determining 
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an amount of traffic that n is forwarding to r that is addressed to v [column 7, 
lines 16-45]. 

after determining the identity of the neighbor n of r that is the principal 
source of packets flowing to r that are addressed to continuing one node further 
upstream from the determined neighbor n of r that is the principal source of 
packets flowing to r that are addressed to v, and continuing to traceback through 
interconnected routers until a source of denial-of-service attack packets to v is 
determined or until fiirther traceback is not possible [column 10, lines 23-44]. 
As to claims 2 and 10, Stone et al discloses that the step of determining the set of 
neighbors comprises a step of sending at least one query to r to obtain information from a MIB 
that stores IP addresses of routers that are neighbors of r [column 5, lines 50-55]. 

As to claims 5 and 12, Stone et al discloses that the step of determining an amount of 
traffic comprises a step of sending at least one message to a neighbor router n for determining a 
count of packets that router n is sending to router r that are addressed to v or to a network on 
which V resides [column 6, lines 29-47]. 

As to claims 6 and 13, Stone et al discloses a step of establishing a black hole host route 
to V as close as is possible to the source of the denial-of-service attack packets [column 9, lines 
28-39]. 

As to claim 9, Stone et al discloses a backtracking unit for tracing a denial-of-service- 
attack on a victim machine back towards its source, comprising a computer-readable media for 
receiving a first input parameter of an IP address (v) of the victim machine and a second input 
parameter of an IP address (r) of a router that is immediately upstream of the victim machine 
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[column 4 line 49 to column 5 line 5], the trackback computer program controlling operation of 
the data processor to determine a set of routers that are neighbors (n) of r [column 5, lines 6-19], 
for each neighbor n of r, determining if r is n's next-hop for traffic addressed to v, where node n's 
next-hop for traffic addressed to v is the IP address of the node that n will forward a packet to if 
the destination address in the packet is v, the traceback computer program further controlling 
operation of the data processor for the case where r is not n's next-hop for traffic addressed to v, 
to skip over n and to query the next neighbor of r, while for the case where r is n's next-hop for 
traffic addressed to v, to determine an amount of traffic that n is forwarding to r that is addressed 
to V [column 6, lines 48-66], and after determining the identity of the neighbor n of r that is the 
principal source of packets flowing to r that are addressed to v or to a network to which v is 
connected, for continuing one node further upstream from the determined neighbor n of r that is 
the principal source of packets flowing to r that are addressed to v to continue to traceback 
through interconnected routers until a source of denial-of-service attack packets to v is 
determined or until further traceback is not possible [column 10, lines 23-44]. 

As to claim 16, Stone et al discloses a method for determining an identity of a source of 
undesirable packets received from a data communications network, comprising steps of: 

operating a traceback program on at least one path to receive two input 
parameters, (a) an IP address (v) of the victim machine and (b) an IP address (r) 
of a router that is immediately upstream of the victim machine [column 4 line 49 
to column 5 line 5]; 

determining a set of routers that are neighbors (n) of r [column 5, lines 6- 

19]; 
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for each neighbor n of r, determining if r is n's next-hop for traffic 
addressed to v, or to a network that v is on, where node n's next-hop for traffic 
addressed to v is the IP address of the node that n will forward a packet to if the 
destination address in the packet is v [column 6, lines 48-66]. 

if r is not n's next-hop for traffic addressed to v, skip over n and query the 
next neighbor of r, while if r is n's next-hop for traffic addressed to v, determining 
an amount of traffic that n is forwarding to r that is addressed to v [column 7, 
lines 16-45]. 

after determining the identity of the neighbor n of r that is the principal 
source of packets flowing to r that are addressed to v, continuing one node fiirther 
upstream from the determined neighbor n of r that is the principal source of 
packets flowing to r that are addressed to v, and continuing to traceback through 
interconnected routers until a source of denial-of-service attack packets to v is 
determined or until further traceback is not possible [column 10, lines 23-44]. 
As to claim 17, Stone et al discloses that the steps of determining and querying each 
comprise a step of sending queries to the data communications network [column 6, lines 29-47]. 

As to claim 18, Stone et al discloses that the step of querying comprises steps of: sending 
a first network message to a packet router for instructing the packet router to determine a number 
of packets that it is sending addressed to v [column 6, lines 29-47]. Stone et al discloses sending 
a second network message to the packet router to query the packet router for the determined 
number [column 6, lines 29-47]. 
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As to claim 19, Stone et al discloses that the step of querying comprises a step of sending 
at least one message to a packet router for determining a number of packets being forwarded to 
or towards v [column 6, lines 29-47]. 

As to claim 21, Stone et al discloses that the step of operating the traceback function 
operates the traceback function on a plurality of selected paths [column 9, lines 14-39]. Stone et 
al discloses that a particular path is selected based at least on an amount of traffic flowing 
through the path traceback through interconnected routers until a source of denial-of-service 
attack packets to v is determined, or until further traceback is not possible [column 9, lines 14- 
39]. 

As to claim 22, Stone et al discloses a method for tracing a denial-of-service attack on a 
victim machine back towards its source, comprising steps of: 

operating a traceback program on at least one path to receive two input 
parameters, (a) an IP address (v) of the victim machine and (b) an IP address (r) 
of a router that is immediately upstream of the victim machine [column 4 line 49 
to column 5 line 5]; 

determining a set of routers that are neighbors (n) of r [column 5, lines 6- 

19]; 

for each neighbor n of r, determining if r is n's next-hop for traffic 
' addressed to v, or to a network that v is on, where node n's next-hop for traffic 
addressed to v is the IP address of the node that n will forward a packet to if the 
destination address in the packet is v [column 6, lines 48-66]; 
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if r is not n's next-hop for traffic addressed to v, skip over n and query the 
next neighbor of r, while if r is n's next-hop for traffic addressed to v, determining 
an amount of traffic that n is forwarding to r that is addressed to v by sending at 
least one message to a neighbor router n for determining a count of packets that 
router n is sending to router r that are addressed to v or to a network on which v 
resides [column 7, lines 16-45]; 

after determining the identity of the neighbor n of r that is the principal 
source of packets flowing to r that are addressed to v, continuing one node further 
upstream from the determined neighbor n of r that is the principal source of 
packets flowing to r that are addressed to v, and continuing to traceback through 
interconnected routers until a source of denial-of-service attack packets to v is 
determined or until further traceback is not possible [column 10, lines 23-44]; and 
establishing a black hole host route to v as close as is possible to the 
source of the denial-of-service attack packets [column 9, lines 28-39]. 
As to claim 23, Stone et al teaches that the step of operating the traceback function 
operates the traceback function on a plurality of selected paths. Stone et al teaches that a 
particular path is selected based at least on an amount of traffic flowing through the path [column 
7, lines 16-45]. 
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Claim Rejections - 35 USC § 103 
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

7. Claims 3, 4 and 11 are rejected under 35 U.S.C. 103(a) as being unpatentable over Stone 

et al U.S. Patent No. 7,062,782 Bl as applied to claims 1 and 9 above, and further in view of 

Li et al U.S. Patent No. 6,535,507 BL 

As to claims 3, 4 and 11, Stone et al does not teach that the step of determining if r is n's 
next-hop for traffic addressed to v comprises a step of sending at least one query to router n. 
Stone et al does not teach that the step of sending at least one query queries an IP Forwarding 
Table MIB of router n. 

Li et al teaches determining if r is n's next-hop for traffic addressed to v comprises a step 
of sending at least one query. Li et al teaches sending at least one query queries an IP 
Forwarding Table [column 6, lines 46-54]. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Stone et al so that if it was determined that if r 
was n's next-hop for traffic addressed to v then a query would have been sent to router n. The 
query would have been an IP Forwarding Table of router n. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Stone et al, as described above, by the teaching of Li et al 
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because it provides automated maintenance of translation tables which may be tailored to meet 
the operating policy of network managers that control respective domains [abstract]. 
8. Claims 7 and 14 are rejected under 35 U.S.C. 103(a) as being unpatentable over Stone et 
al U.S. Patent No. 7,062,782 Bl as applied to claims 1 and 9 above, and further in view of 
Hughes U.S. Patent No. 6,636,509 Bl. 

As to claims 7 and 14, Stone et al does not teach a step of establishing a special host route 
to V using the same next hop as an existing route. Stone et al does not teach that the special host 
route tracking changes in the existing route such that when a next hop for the existing route 
changes, the next hop for the host route changes similarly. 

Hughes teaches establishing a special host route to v using the same next hop as an 
existing route. Stone et al does not teach that the special host route tracks changes in the existing 
route such that when a next hop for the existing route changes, the next hop for the host route 
changes similarly [column 6, lines 1 1-67]. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Stone et al so that there would have been a special 
route using the same next hop as an existing route. The special host route would have tracked 
changes in the existing routes so that when a next hop for the exiting route changed, the next hop 
for the host route would have changed similarly. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Stone et al, as described above, by the teaching of Hughes 
because by using special routes it reduces the amount of hops in the routing table [column 3, 
lines 6-29] 
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9, Claims 8 and 15 are rejected under 35 U.S.C 103(a) as being unpatentable over Stone et 
al U.S. Patent No. 7,062,782 Bl as applied to claims 1 and 9 above, and further in view of 
Packer U.S. Patent No. 6,298,041 Bl. 

As to claims 8 and 15, Stone et al does not teach a step of establishing a rate limit for 
packets addressed to v as close as is possible to the source of the denial -of- service attack packets. 

Packer teaches establishing a rate limit for packets addressed [column 4 line 50 to column 
-5 line 7]. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Stone et al so that there would have been a rate 
limit for packets addressed to v as close as is possible to the source of the denial-of-service 
attack packets. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Stone et al, as described above, by the teaching of Packer 
because rate control is introduced into a level of a packet communication environment at which 
there is a lack of data rate supervision to control assignment of available bandwidth from a 
single logical link to network flows [column 3, lines 22-32]. 
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10. Claim 20 is rejected under 35 U.S.C. 103(a) as being unpatentable over Stone et al U.S. 
Patent No. 7,062,782 Bl as applied to claim 16 above, and further in view of Bare U.S. 
Patent No. 6,456,597 Bl. 

As to claim 20, Stone et al does not teach establishing at least one of a black hole host 
route to V as close as is possible to the source of the undesirable packets. Stone et al does not 
teach establishing a special host route to v using the same next hop as an existing route, the 
special host route tracking changes in the existing route such that when a next hop for the 
existing route changes, the next hop for the host route changes similarly. Stone et al does not 
teach establishing a rate-limit for packets addressed to v as close as is possible to the source of 
the denial-of-service attack packets. 

Bare teaches establishing at least one of a black hole host route to v as close as is possible 
to the source of the undesirable packets [column 41 line 66 to column 42 line 45. Bare teaches 
establishing a special host route to v using the same next hop as an existing route, the special 
host route tracking changes in the existing route such that when a next hop for the existing route 
changes, the next hop for the host route changes similarly [column 38 line 33 to column 39 line 
13]. Bare teaches establishing a rate-limit for packets addressed to v as close as is possible to the 
source of the denial-of-service attack packets [column 77, lines 51-60]. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Stone et al, as described above, so that a black 
hole host route would have been established as close as is possible to the source of the 
undesirable packets. A special host route using the same next hop as an existing route would 
have been established, the special host route tracking changes in the existing route such that 
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when a next hop for the existing route changes, the next hop for the host route changes similarly. 
There would have been a rate-limit for packets addressed to v as close as is possible to the source 
of the denial-of-service attack packets. 



invention was made to have modified Stone et al by the teaching of Packer because using any of 
the above methods, you reroute any undesired packets away from the network. 



11.' Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Aravind K. Moorthy whose telephone number is 571-272-3793. 
The examiner can normally be reached on Monday-Friday, 8:00-5:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R. Sheikh can be reached on 571-272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



It would have been obvious to a person having ordinary skill in the art at the time the 



Conclusion 





